Merge pull request #3181 from hosseinsh/removing-outdated-language
cleaning up outdated language
This commit is contained in:
commit
5aa37b48d3
@ -24,7 +24,7 @@ LEMUR_TOKEN_SECRET = repr(os.environ.get('LEMUR_TOKEN_SECRET',
|
|||||||
LEMUR_ENCRYPTION_KEYS = repr(os.environ.get('LEMUR_ENCRYPTION_KEYS',
|
LEMUR_ENCRYPTION_KEYS = repr(os.environ.get('LEMUR_ENCRYPTION_KEYS',
|
||||||
base64.b64encode(get_random_secret(32).encode('utf8'))))
|
base64.b64encode(get_random_secret(32).encode('utf8'))))
|
||||||
|
|
||||||
LEMUR_WHITELISTED_DOMAINS = []
|
LEMUR_ALLOWED_DOMAINS = []
|
||||||
|
|
||||||
LEMUR_EMAIL = ''
|
LEMUR_EMAIL = ''
|
||||||
LEMUR_SECURITY_TEAM_EMAIL = []
|
LEMUR_SECURITY_TEAM_EMAIL = []
|
||||||
|
@ -100,7 +100,7 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c
|
|||||||
|
|
||||||
Specifies whether to allow certificates created by Lemur to expire on weekends. Default is True.
|
Specifies whether to allow certificates created by Lemur to expire on weekends. Default is True.
|
||||||
|
|
||||||
.. data:: LEMUR_WHITELISTED_DOMAINS
|
.. data:: LEMUR_ALLOWED_DOMAINS
|
||||||
:noindex:
|
:noindex:
|
||||||
|
|
||||||
List of regular expressions for domain restrictions; if the list is not empty, normal users can only issue
|
List of regular expressions for domain restrictions; if the list is not empty, normal users can only issue
|
||||||
|
@ -22,7 +22,7 @@ def common_name(value):
|
|||||||
|
|
||||||
def sensitive_domain(domain):
|
def sensitive_domain(domain):
|
||||||
"""
|
"""
|
||||||
Checks if user has the admin role, the domain does not match sensitive domains and whitelisted domain patterns.
|
Checks if user has the admin role, the domain does not match sensitive domains and allowed domain patterns.
|
||||||
:param domain: domain name (str)
|
:param domain: domain name (str)
|
||||||
:return:
|
:return:
|
||||||
"""
|
"""
|
||||||
@ -30,10 +30,10 @@ def sensitive_domain(domain):
|
|||||||
# User has permission, no need to check anything
|
# User has permission, no need to check anything
|
||||||
return
|
return
|
||||||
|
|
||||||
whitelist = current_app.config.get("LEMUR_WHITELISTED_DOMAINS", [])
|
allowlist = current_app.config.get("LEMUR_ALLOWED_DOMAINS", [])
|
||||||
if whitelist and not any(re.match(pattern, domain) for pattern in whitelist):
|
if allowlist and not any(re.match(pattern, domain) for pattern in allowlist):
|
||||||
raise ValidationError(
|
raise ValidationError(
|
||||||
"Domain {0} does not match whitelisted domain patterns. "
|
"Domain {0} does not match allowed domain patterns. "
|
||||||
"Contact an administrator to issue the certificate.".format(domain)
|
"Contact an administrator to issue the certificate.".format(domain)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -95,7 +95,7 @@ LEMUR_TOKEN_SECRET = '{secret_token}'
|
|||||||
LEMUR_ENCRYPTION_KEYS = '{encryption_key}'
|
LEMUR_ENCRYPTION_KEYS = '{encryption_key}'
|
||||||
|
|
||||||
# List of domain regular expressions that non-admin users can issue
|
# List of domain regular expressions that non-admin users can issue
|
||||||
LEMUR_WHITELISTED_DOMAINS = []
|
LEMUR_ALLOWED_DOMAINS = []
|
||||||
|
|
||||||
# Mail Server
|
# Mail Server
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ LEMUR_ENCRYPTION_KEYS = base64.urlsafe_b64encode(get_random_secret(length=32).en
|
|||||||
|
|
||||||
|
|
||||||
# List of domain regular expressions that non-admin users can issue
|
# List of domain regular expressions that non-admin users can issue
|
||||||
LEMUR_WHITELISTED_DOMAINS = [
|
LEMUR_ALLOWED_DOMAINS = [
|
||||||
r"^[a-zA-Z0-9-]+\.example\.com$",
|
r"^[a-zA-Z0-9-]+\.example\.com$",
|
||||||
r"^[a-zA-Z0-9-]+\.example\.org$",
|
r"^[a-zA-Z0-9-]+\.example\.org$",
|
||||||
r"^example\d+\.long\.com$",
|
r"^example\d+\.long\.com$",
|
||||||
|
@ -400,7 +400,7 @@ def test_certificate_cn_admin(client, authority, logged_in_admin):
|
|||||||
from lemur.certificates.schemas import CertificateInputSchema
|
from lemur.certificates.schemas import CertificateInputSchema
|
||||||
|
|
||||||
input_data = {
|
input_data = {
|
||||||
"commonName": "*.admin-overrides-whitelist.com",
|
"commonName": "*.admin-overrides-allowlist.com",
|
||||||
"owner": "jim@example.com",
|
"owner": "jim@example.com",
|
||||||
"authority": {"id": authority.id},
|
"authority": {"id": authority.id},
|
||||||
"description": "testtestest",
|
"description": "testtestest",
|
||||||
@ -461,7 +461,7 @@ def test_certificate_incative_authority(client, authority, session, logged_in_us
|
|||||||
|
|
||||||
|
|
||||||
def test_certificate_disallowed_names(client, authority, session, logged_in_user):
|
def test_certificate_disallowed_names(client, authority, session, logged_in_user):
|
||||||
"""The CN and SAN are disallowed by LEMUR_WHITELISTED_DOMAINS."""
|
"""The CN and SAN are disallowed by LEMUR_ALLOWED_DOMAINS."""
|
||||||
from lemur.certificates.schemas import CertificateInputSchema
|
from lemur.certificates.schemas import CertificateInputSchema
|
||||||
|
|
||||||
input_data = {
|
input_data = {
|
||||||
@ -484,10 +484,10 @@ def test_certificate_disallowed_names(client, authority, session, logged_in_user
|
|||||||
|
|
||||||
data, errors = CertificateInputSchema().load(input_data)
|
data, errors = CertificateInputSchema().load(input_data)
|
||||||
assert errors["common_name"][0].startswith(
|
assert errors["common_name"][0].startswith(
|
||||||
"Domain *.example.com does not match whitelisted domain patterns"
|
"Domain *.example.com does not match allowed domain patterns"
|
||||||
)
|
)
|
||||||
assert errors["extensions"]["sub_alt_names"]["names"][0].startswith(
|
assert errors["extensions"]["sub_alt_names"]["names"][0].startswith(
|
||||||
"Domain evilhacker.org does not match whitelisted domain patterns"
|
"Domain evilhacker.org does not match allowed domain patterns"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@ -674,7 +674,7 @@ def test_csr_empty_san(client):
|
|||||||
|
|
||||||
|
|
||||||
def test_csr_disallowed_cn(client, logged_in_user):
|
def test_csr_disallowed_cn(client, logged_in_user):
|
||||||
"""Domain name CN is disallowed via LEMUR_WHITELISTED_DOMAINS."""
|
"""Domain name CN is disallowed via LEMUR_ALLOWED_DOMAINS."""
|
||||||
from lemur.common import validators
|
from lemur.common import validators
|
||||||
|
|
||||||
request, pkey = create_csr(
|
request, pkey = create_csr(
|
||||||
@ -683,12 +683,12 @@ def test_csr_disallowed_cn(client, logged_in_user):
|
|||||||
with pytest.raises(ValidationError) as err:
|
with pytest.raises(ValidationError) as err:
|
||||||
validators.csr(request)
|
validators.csr(request)
|
||||||
assert str(err.value).startswith(
|
assert str(err.value).startswith(
|
||||||
"Domain evilhacker.org does not match whitelisted domain patterns"
|
"Domain evilhacker.org does not match allowed domain patterns"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def test_csr_disallowed_san(client, logged_in_user):
|
def test_csr_disallowed_san(client, logged_in_user):
|
||||||
"""SAN name is disallowed by LEMUR_WHITELISTED_DOMAINS."""
|
"""SAN name is disallowed by LEMUR_ALLOWED_DOMAINS."""
|
||||||
from lemur.common import validators
|
from lemur.common import validators
|
||||||
|
|
||||||
request, pkey = create_csr(
|
request, pkey = create_csr(
|
||||||
@ -704,7 +704,7 @@ def test_csr_disallowed_san(client, logged_in_user):
|
|||||||
with pytest.raises(ValidationError) as err:
|
with pytest.raises(ValidationError) as err:
|
||||||
validators.csr(request)
|
validators.csr(request)
|
||||||
assert str(err.value).startswith(
|
assert str(err.value).startswith(
|
||||||
"Domain evilhacker.org does not match whitelisted domain patterns"
|
"Domain evilhacker.org does not match allowed domain patterns"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user